CSC SSM slows down internet traffic

kpoon
Level 1

Hello,

We have a Cisco ASA 5510 with 256 MB RAM running 8.2.4 with CSC 6.3.1172.4. It slows down internet traffic drastically when we do a speed test; we get something like this:

[screenshot: Unknown.png]

If the computer is bypassing the CSC, it gets:

[screenshot: Unknown-1.png]

This was done when there was very low traffic on the LAN and CPU usage on the CSC was low.

The CSC has been re-imaged also but still doesn't solve the problem.

All tests are done with the same test server.

Any idea?

Thanks.

6 Replies

Maykol Rojas
Cisco Employee

Hi,

Do you have HTTP scanning by any chance? It is expected to see those numbers go down, but not like that... If you do a download, is it being reflected? Is it all internet traffic or just HTTP?

Mike.


Hi,

I don't have inspect HTTP on. According to http://www.speedtest.net/, the download is being reflected all the time. I believe it's all traffic that goes through the CSC. For now I've even turned off FTP scanning. Here's my configuration:

access-list throttle_frontline extended permit ip host 7.x.x.x any
access-list throttle_frontline extended permit ip any host 7.x.x.x

access-list cscTraffic extended deny ip host 192.168.10.254 any
access-list cscTraffic extended deny ip object-group admin-ip any
access-list cscTraffic extended deny ip any object-group tms-ip
access-list cscTraffic extended permit object-group TCPUDP any any eq www
access-list cscTraffic extended permit tcp any any eq https
access-list cscTraffic extended permit tcp any any eq smtp
access-list cscTraffic extended permit tcp any any eq ftp inactive

!
class-map global-class
match default-inspection-traffic
class-map csc-class
match access-list cscTraffic
class-map throttle_frontline
match access-list throttle_frontline
!
!
policy-map throttle-policy
class throttle_frontline
  police input 600000 2000
  police output 600000 2000
policy-map global-policy
class global-class
  inspect pptp
  inspect ftp
  inspect ipsec-pass-thru
  inspect xdmcp
  inspect h323 h225
  inspect h323 ras
  inspect sip 
class csc-class
  csc fail-open
!
service-policy global-policy global
service-policy throttle-policy interface outside

The time change with ping doesn't make sense. That traffic is not going through the CSC module. That alone makes the numbers a bit suspicious. From what you indicated, the only change was removing the service policy for the CSC module on the ASA. Is that correct?

I see you have a policing policy in place as well. If you remove the policing policy, but leave the CSC policy in place, do you see an improvement?

Is scanning enabled on the CSC? By its very nature, scanning will cache all files before they are sent to the end host. This breaks how the speed test determines its speed (measuring how long it takes a file to be downloaded). You can enable deferred scanning for files larger than 1 MB, but the CSC still needs to complete its AV scan prior to sending the last byte of data to the client.

Finally, what version are you running on your CSC module and on your ASA?

Thanks,

Brendan

The time change in ping is even worse now after I re-flashed the CSC module. It's about >300 ms.

The moment I do this,

      access-list cscTraffic line 4 extended permit object-group TCPUDP any any eq http  inactive
      access-list cscTraffic line 5 extended permit tcp any any eq https  inactive

The ping time comes back to normal, ~15 ms, and the speed as well.

Any systems belonging to the admin-ip or tms-ip groups are fine as well, since they completely bypass the CSC.

The policing policy doesn't affect the result whether it's enabled or disabled.

Scanning is enabled on the CSC. I am just puzzled why the results change in such a drastic fashion. I am expecting a slowdown with scanning, but not to that extent.

CSC is version 6.3.1172.4

ASA is version 8.2(4). I can't upgrade to 8.3+ since I only have 256 MB, correct me if I am wrong.

ASDM is version 6.4(1)

Thanks.

The CSC does not scan HTTPS or any UDP ports. The only 4 TCP ports you should send are smtp, http, ftp, and pop3. It also doesn't make any sense that this would affect ICMP traffic unless there was some rule marking the ICMP traffic to be sent through the CSC module as well.

Scanning will definitely interfere with the results of an online speed test. The test is an app that essentially tracks how long it takes the file to download. By performing scanning, the results of this test are invalid because it does not accurately portray the speed of your internet connection.

Please keep in mind that this doesn't necessarily mean you are wasting bandwidth since there is never only one user browsing at a time.

Thanks,

Brendan
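As an added example (not from this thread, Cisco, or the CSC product), a small Python audit that applies the rule in the reply above to an ASA access-list feeding the csc class: active permit entries that are not plain TCP, or whose port is not one of smtp/http/ftp/pop3, are reported as sending unscannable traffic through the module. The parser covers only the address forms used in the posted config (any, host, object-group), and the sample ACL is the cscTraffic list posted earlier in the thread.

```python
# Per the reply above: the CSC SSM scans only these TCP services; HTTPS and UDP
# entries just route traffic through the module for no benefit.
CSC_SCANNED_PORTS = {"smtp", "www", "http", "ftp", "pop3"}

def parse_acl_line(line):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST [eq PORT] [inactive]'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "access-list":
        return None
    i = 3 if tok[2] != "line" else 5      # 'show access-list' output carries line numbers
    if tok[i - 1] != "extended":
        return None
    action, i = tok[i], i + 1
    fields = []                            # proto, src, dst in turn
    for _ in range(3):                     # 'object-group G' and 'host X' are two tokens wide
        width = 2 if tok[i] in ("object-group", "host") else 1
        fields.append(" ".join(tok[i:i + width]))
        i += width
    port = tok[i + 1] if i < len(tok) and tok[i] == "eq" else None
    return {"name": tok[1], "action": action, "proto": fields[0], "src": fields[1],
            "dst": fields[2], "port": port, "inactive": tok[-1] == "inactive"}

def audit_csc_acl(config_text, acl_name="cscTraffic"):
    """Return (line, reason) for active permit entries that send unscannable traffic to the CSC."""
    findings = []
    for raw in config_text.splitlines():
        e = parse_acl_line(raw.strip())
        if not e or e["name"] != acl_name or e["action"] != "permit" or e["inactive"]:
            continue
        if e["proto"] != "tcp":
            findings.append((raw.strip(), f"protocol '{e['proto']}' is not plain tcp; the CSC scans TCP only"))
        elif e["port"] not in CSC_SCANNED_PORTS:
            findings.append((raw.strip(), f"tcp/{e['port']} is not scanned by the CSC"))
    return findings

# Constructed sample: the cscTraffic ACL as posted earlier in this thread.
POSTED_ACL = """\
access-list cscTraffic extended deny ip host 192.168.10.254 any
access-list cscTraffic extended deny ip object-group admin-ip any
access-list cscTraffic extended deny ip any object-group tms-ip
access-list cscTraffic extended permit object-group TCPUDP any any eq www
access-list cscTraffic extended permit tcp any any eq https
access-list cscTraffic extended permit tcp any any eq smtp
access-list cscTraffic extended permit tcp any any eq ftp inactive
"""

if __name__ == "__main__":
    for line, reason in audit_csc_acl(POSTED_ACL):
        print(f"{reason}\n    {line}")
```

On the posted ACL this flags the TCPUDP www entry (UDP is included) and the https entry; the deny lines and the inactive ftp line are ignored.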

Perhaps it's as you have said: the online app doesn't necessarily portray the bandwidth correctly with the CSC.

I've done a real-life ping time test, and it turns out correctly.

I've changed the access-list to only TCP.

Thanks for your explanation.
